<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 252) from 2.9.11\r
+o" )~ Version 3.0.0 (Build 254) from 2.9.11\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.\r
based but with syntax tweaks, so your 2.X rules must be fixed up. However,\r
snort2lua will help you convert your conf and rules to the new format.</p></div>\r
<div class="sect3">\r
-<h4 id="_environment">Environment</h4>\r
-<div class="paragraph"><p>LUA_PATH must be set based on your install:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>LUA_PATH=$install_prefix/include/snort/lua/\?.lua\;\;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>SNORT_LUA_PATH must be set to load auxiliary configuration files if you use\r
-the default snort.lua. For example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export SNORT_LUA_PATH=$install_prefix/etc/snort</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
<h4 id="_command_line">Command Line</h4>\r
<div class="paragraph"><p>A simple command line might look like this:</p></div>\r
<div class="literalblock">\r
</div>\r
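Review bot: Removing the whole Environment subsection (the `LUA_PATH=$install_prefix/include/snort/lua/\?.lua\;\;` and `export SNORT_LUA_PATH=$install_prefix/etc/snort` lines) leaves existing users with no statement of whether those two variables are still honored or now ignored. The only related addition elsewhere in this diff is the `--include-path` option ("where to find Lua and rule included files; searched before current or config directories"), so a one-sentence migration note here, saying the variables are no longer required and naming the option that takes their place, would stop users from carrying stale exports forward in startup scripts.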
<div class="sect2">\r
<h3 id="_running">Running</h3>\r
-<div class="paragraph"><p>First set up the environment:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;\r
-export SNORT_LUA_PATH=$my_path/etc/snort/</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Then give it a go:</p></div>\r
+<div class="paragraph"><p>Examples:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
</div>\r
<div class="sect2">\r
<h3 id="_common_errors">Common Errors</h3>\r
-<div class="paragraph"><p><em>FATAL: snort_config is required</em></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-add this line near top of file:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>require('snort_config')</code></pre>\r
-</div></div>\r
-</li>\r
-</ul></div>\r
<div class="paragraph"><p><em>PANIC: unprotected error in call to Lua API (cannot open\r
snort_defaults.lua: No such file or directory)</em></p></div>\r
<div class="ulist"><ul>\r
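Review bot: Dropping the `FATAL: snort_config is required` entry together with its `require('snort_config')` fix implies the require is no longer needed, but the adjacent PANIC entry for `snort_defaults.lua` keeps its place and its remedy is not in this hunk; check that that remedy does not still tell the reader to set SNORT_LUA_PATH, which this same change removes from the environment list, and state how snort_defaults.lua is located now.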
Snort install directory. Additionally, it is assumed that "$my_path/bin"\r
is in your PATH.</p></div>\r
<div class="sect2">\r
-<h3 id="_environment_2">Environment</h3>\r
-<div class="paragraph"><p>LUA_PATH is used directly by Lua to load and run required libraries.\r
-SNORT_LUA_PATH is used by Snort to load supplemental configuration files.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;\r
-export SNORT_LUA_PATH=$my_path/etc/snort</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_help_2">Help</h3>\r
<div class="paragraph"><p>Print the help summary:</p></div>\r
<div class="literalblock">\r
based on a specific HTTP header:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>require("snort_config")</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dir = os.getenv('SNORT_LUA_PATH')</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>if ( not dir ) then\r
- dir = '.'\r
-end</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dofile(dir .. '/snort_defaults.lua')</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>local_rules =\r
-[[\r
-block http ( msg:"openAppId: test content match for app http";\r
-content:"X-Header: malicious"; sid:18760; rev:4; )\r
-]]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
<pre><code>stream = { }</code></pre>\r
</div></div>\r
<div class="literalblock">\r
</div></div>\r
<div class="literalblock">\r
<div class="content">\r
+<pre><code>local_rules =\r
+[[\r
+block http ( msg:"openAppId: test content match for app http";\r
+content:"X-Header: malicious"; sid:18760; rev:4; )\r
+]]</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
<pre><code>ips =\r
{\r
rules = local_rules,\r
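Review bot: The minimal configuration now has no `require("snort_config")` and no `dofile(dir .. '/snort_defaults.lua')`, yet the text introducing it still calls it "sufficient to block flows"; say explicitly whether the defaults are now loaded implicitly or whether this config deliberately runs without them, because a reader who copies it will otherwise not know why empty tables such as `stream = { }` are enough. Moving `local_rules` below the module tables is fine since `ips` is its only consumer and still follows it.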
</li>\r
<li>\r
<p>\r
-string <strong>alerts.order</strong> = pass drop alert log: change the order of rule action application\r
+string <strong>alerts.order</strong> = pass reset block drop alert log: change the order of rule action application\r
</p>\r
</li>\r
<li>\r
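Review bot: The new default `pass reset block drop alert log` adds two actions, but the description "change the order of rule action application" still does not say which end of the list wins when several rules match the same packet; state that the first listed action takes precedence (or whichever direction is correct), so a reader can see that with this default a reset rule now outranks a block or drop rule, and cross-reference `--alert-before-pass`, whose new text in this same diff ("default is pass rules first") is the only hint at the direction.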
</li>\r
<li>\r
<p>\r
-multi <strong>network.checksum_eval</strong> = none: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
+multi <strong>network.checksum_eval</strong> = all: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--alert-before-pass</strong>: process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,…\r
+implied <strong>snort.--alert-before-pass</strong>: evaluate alert rules before pass rules; default is pass rules first\r
</p>\r
</li>\r
<li>\r
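Review bot: The new wording "evaluate alert rules before pass rules" is narrower than the old one, which named drop, sdrop and reject as well; with `alerts.order` in this same diff now listing `pass reset block drop alert log`, say whether this switch moves only `alert` ahead of `pass` or all non-pass actions, otherwise a reader cannot tell if a block rule still loses to a pass rule when the option is set.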
</li>\r
<li>\r
<p>\r
+string <strong>snort.--include-path</strong>: <path> where to find Lua and rule included files; searched before current or config directories\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--list-buffers</strong>: output available inspection buffers\r
</p>\r
</li>\r
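Review bot: `--include-path` is "searched before current or config directories", which means a file of the same name placed on that path shadows the one next to snort.lua, and the files it resolves are Lua sources that Snort runs as configuration and rule files it loads. The entry should say that the directory must be owned and writable only by the account that owns the main config, so operators do not point it at a shared or group-writable location and lose the integrity guarantee the config directory gives them.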
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--parsing-follows-files</strong>: parse relative paths from the perspective of the current configuration file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
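Review bot: `--parsing-follows-files` disappears with no removal note, so a user who has it in a startup script gets no pointer to what replaced it; add a short line stating that the option was removed and what relative paths in included files now resolve against by default. The `--show-file-codes` entry added further down in this diff lists the candidate bases (A, W, F, C) but not which one applies when no option is given.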
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--show-file-codes</strong>: indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--show-plugins</strong>: list module and plugin versions\r
</p>\r
</li>\r
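Review bot: The description "A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively" forces the reader to pair letters with phrases by position; list the codes one per line (A absolute, W relative to the working directory, F relative to the including file, C relative to the config file) and show one line of sample output, since the option exists to let operators verify that an include resolved to the file they intended rather than a same-named file found earlier on the search path.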
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, sdrop, and reject rules into alert rules during startup\r
+implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, block, and reset rules into alert rules when loaded\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, sdrop, and reject rules to ignore session traffic when not inline\r
+implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, block, and reset rules to ignore session traffic when not inline\r
</p>\r
</li>\r
<li>\r
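Review bot: Both descriptions swap `sdrop, and reject` for `block, and reset` while the option names stay `--treat-drop-as-*`; since the introduction in this same diff says 2.X rules "must be fixed up" via snort2lua, add the mapping from the 2.X actions to the new ones (and whether sdrop has an equivalent at all) in one of these entries or in the conversion section, otherwise users searching the manual for sdrop or reject find nothing. "when loaded" is clearer than "during startup"; keep it.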
</li>\r
<li>\r
<p>\r
-<strong>LUA_PATH</strong>: you must export as follows so LuaJIT can find required\r
- files.\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>LUA_PATH=$install_dir/include/snort/lua/\?.lua\;\;</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
<strong>SNORT_IGNORE</strong>: the list of symbols Snort should ignore when parsing the\r
Lua conf. Unknown symbols not in SNORT_IGNORE will cause warnings with\r
--warn-unknown or fatals with --warn-unknown --pedantic.\r
</li>\r
<li>\r
<p>\r
-<strong>SNORT_LUA_PATH</strong>: an optional path where Snort can find supplemental conf\r
- files such as classification.lua.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>SNORT_PROMPT</strong>: the character sequence that is printed at startup,\r
shutdown, and in the shell. The default is the mini-pig: o")~ .\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--alert-before-pass</strong> process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,…\r
+<strong>--alert-before-pass</strong> evaluate alert rules before pass rules; default is pass rules first\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--include-path</strong> <path> where to find Lua and rule included files; searched before current or config directories\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--list-buffers</strong> output available inspection buffers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--parsing-follows-files</strong> parse relative paths from the perspective of the current configuration file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>--pcap-file</strong> <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>--show-file-codes</strong> indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--show-plugins</strong> list module and plugin versions\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--treat-drop-as-alert</strong> converts drop, sdrop, and reject rules into alert rules during startup\r
+<strong>--treat-drop-as-alert</strong> converts drop, block, and reset rules into alert rules when loaded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--treat-drop-as-ignore</strong> use drop, sdrop, and reject rules to ignore session traffic when not inline\r
+<strong>--treat-drop-as-ignore</strong> use drop, block, and reset rules to ignore session traffic when not inline\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>alerts.order</strong> = pass drop alert log: change the order of rule action application\r
+string <strong>alerts.order</strong> = pass reset block drop alert log: change the order of rule action application\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-multi <strong>network.checksum_eval</strong> = none: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
+multi <strong>network.checksum_eval</strong> = all: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--alert-before-pass</strong>: process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,…\r
+implied <strong>snort.--alert-before-pass</strong>: evaluate alert rules before pass rules; default is pass rules first\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>snort.--include-path</strong>: <path> where to find Lua and rule included files; searched before current or config directories\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
port <strong>snort.-j</strong>: <port> to listen for Telnet connections\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--parsing-follows-files</strong>: parse relative paths from the perspective of the current configuration file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--show-file-codes</strong>: indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--show-plugins</strong>: list module and plugin versions\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, sdrop, and reject rules into alert rules during startup\r
+implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, block, and reset rules into alert rules when loaded\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, sdrop, and reject rules to ignore session traffic when not inline\r
+implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, block, and reset rules to ignore session traffic when not inline\r
</p>\r
</li>\r
<li>\r
change -> stream5_global: 'max_tcp' ==> 'max_sessions'\r
change -> stream5_global: 'max_udp' ==> 'max_sessions'\r
change -> stream5_global: 'min_response_seconds' ==> 'min_interval'\r
-change -> stream5_global: 'prune_log_max' ==> 'histogram'\r
change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'pruning_timeout'\r
change -> stream5_global: 'tcp_cache_pruning_timeout' ==> 'idle_timeout'\r
change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout'\r
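Review bot: Deleting the `'prune_log_max' ==> 'histogram'` row from the snort2lua conversion table leaves the reader with no statement of what happens to a 2.X `prune_log_max` setting; if the converter now drops it silently, keep a row that says so (for example `'prune_log_max' ==> (removed, no equivalent)`) rather than removing the entry, so the table stays an exhaustive map of 2.X options.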
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-04-10 13:56:30 EDT\r
+ 2019-04-26 17:06:59 EDT\r
</div>\r
</div>\r
</body>\r
4. Usage
- 4.1. Environment
- 4.2. Help
- 4.3. Sniffing and Logging
- 4.4. Configuration
- 4.5. IDS mode
- 4.6. Plugins
- 4.7. Output Files
- 4.8. DAQ Alternatives
- 4.9. Logger Alternatives
- 4.10. Shell
- 4.11. Signals
+ 4.1. Help
+ 4.2. Sniffing and Logging
+ 4.3. Configuration
+ 4.4. IDS mode
+ 4.5. Plugins
+ 4.6. Output Files
+ 4.7. DAQ Alternatives
+ 4.8. Logger Alternatives
+ 4.9. Shell
+ 4.10. Signals
5. Features
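Review bot: Renumbering 4.1 through 4.11 down by one after removing Environment shifts every section number in the Usage chapter; check that any prose elsewhere that cites these numbers was updated in the same change, since the diff only shows the table of contents and the headings themselves.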
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 252) from 2.9.11
+o" )~ Version 3.0.0 (Build 254) from 2.9.11
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
be fixed up. However, snort2lua will help you convert your conf and
rules to the new format.
-1.2.1. Environment
-
-LUA_PATH must be set based on your install:
-
-LUA_PATH=$install_prefix/include/snort/lua/\?.lua\;\;
-
-SNORT_LUA_PATH must be set to load auxiliary configuration files if
-you use the default snort.lua. For example:
-
-export SNORT_LUA_PATH=$install_prefix/etc/snort
-
-1.2.2. Command Line
+1.2.1. Command Line
A simple command line might look like this:
--lua 'ips.enable_builtin_rules = true'
-1.2.3. Configuration File
+1.2.2. Configuration File
The configuration file gives you complete control over how Snort
processes packets. Start with the default snort.lua included in the
active = { max_responses = 1, min_interval = 5 }
-1.2.4. Rules
+1.2.3. Rules
Rules determine what Snort is looking for. They can be put directly
in your Lua configuration file with the ips module, on the command
You can use both approaches together.
-1.2.5. Converting Your 2.X Configuration
+1.2.4. Converting Your 2.X Configuration
If you have a working 2.X configuration snort2lua makes it easy to
get up and running with Snort 3. This tool will convert your
--------------
-First set up the environment:
-
-export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
-export SNORT_LUA_PATH=$my_path/etc/snort/
-
-Then give it a go:
+Examples:
* Get some help:
--------------
-FATAL: snort_config is required
-
- * add this line near top of file:
-
- require('snort_config')
-
PANIC: unprotected error in call to Lua API (cannot open
snort_defaults.lua: No such file or directory)
"$my_path/bin" is in your PATH.
-4.1. Environment
-
---------------
-
-LUA_PATH is used directly by Lua to load and run required libraries.
-SNORT_LUA_PATH is used by Snort to load supplemental configuration
-files.
-
-export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
-export SNORT_LUA_PATH=$my_path/etc/snort
-
-
-4.2. Help
+4.1. Help
--------------
"--list-" options, so any other options should be placed before them.
-4.3. Sniffing and Logging
+4.2. Sniffing and Logging
--------------
snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir
-4.4. Configuration
+4.3. Configuration
--------------
snort --script-path /path/to/script/dir
-4.5. IDS mode
+4.4. IDS mode
--------------
-A cmg
-4.6. Plugins
+4.5. Plugins
--------------
END
-4.7. Output Files
+4.6. Output Files
--------------
default to stdout. These options can be combined.
-4.8. DAQ Alternatives
+4.7. DAQ Alternatives
--------------
--daq-dir $my_path/lib/snort/daqs --daq socket
-4.9. Logger Alternatives
+4.8. Logger Alternatives
--------------
--lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"
-4.10. Shell
+4.9. Shell
--------------
are welcome.
-4.11. Signals
+4.10. Signals
--------------
Below is a minimal Snort configuration that is sufficient to block
flows based on a specific HTTP header:
-require("snort_config")
-
-dir = os.getenv('SNORT_LUA_PATH')
-
-if ( not dir ) then
- dir = '.'
-end
-
-dofile(dir .. '/snort_defaults.lua')
-
-local_rules =
-[[
-block http ( msg:"openAppId: test content match for app http";
-content:"X-Header: malicious"; sid:18760; rev:4; )
-]]
-
stream = { }
stream_tcp = { }
appid = { }
+local_rules =
+[[
+block http ( msg:"openAppId: test content match for app http";
+content:"X-Header: malicious"; sid:18760; rev:4; )
+]]
+
ips =
{
rules = local_rules,
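Review bot: The lead-in "sufficient to block flows" two lines above the removed `require("snort_config")` holds only when Snort runs inline; in passive mode a `block http` rule cannot block anything, and the `--treat-drop-as-alert` and `--treat-drop-as-ignore` entries in this same diff show that block rules are handled differently "when not inline". One clause, "when run inline", would keep a reader from deploying this config passively and assuming the header is being blocked.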
memory for event_filters { 0:max32 }
* bool alerts.log_references = false: include rule references in
alert info (full only)
- * string alerts.order = pass drop alert log: change the order of
- rule action application
+ * string alerts.order = pass reset block drop alert log: change the
+ order of rule action application
* int alerts.rate_filter_memcap = 1048576: set available MB of
memory for rate_filters { 0:max32 }
* string alerts.reference_net: set the CIDR for homenet (for use
* multi network.checksum_drop = none: drop if checksum is bad { all
| ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
- * multi network.checksum_eval = none: checksums to verify { all |
- ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
+ * multi network.checksum_eval = all: checksums to verify { all | ip
+ | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
* bool network.decode_drops = false: enable dropping of packets by
the decoder
* int network.id = 0: correlate unified2 events with configuration
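Review bot: Flipping the `network.checksum_eval` default from `none` to `all` is a behavior change, not just a doc fix, and the entry does not say what happens to a packet that fails verification while `network.checksum_drop` stays `none` two lines above. Spell out that outcome here and call the new default out in the release notes: hosts capturing with NIC checksum offload enabled routinely see bad TCP/UDP checksums on their own outbound traffic, so users upgrading may see different results on that traffic and need the documented way back (`none`, or the selective `notcp` / `noudp` values already listed).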
* int snort.-z = 1: <count> maximum number of packet threads (same
as --max-packet-threads); 0 gets the number of CPU cores reported
by the system; default is 1 { 0:max32 }
- * implied snort.--alert-before-pass: process alert, drop, sdrop, or
- reject before pass; default is pass before alert, drop,…
+ * implied snort.--alert-before-pass: evaluate alert rules before
+ pass rules; default is pass rules first
* string snort.--bpf: <filter options> are standard BPF options, as
seen in TCPDump
* string snort.--c2x: output hex for given char (see also --x2c)
logdir instead of instance filename prefix
* implied snort.--id-zero: use id prefix / subdirectory even with
one packet thread
+ * string snort.--include-path: <path> where to find Lua and rule
+ included files; searched before current or config directories
* implied snort.--list-buffers: output available inspection buffers
* string snort.--list-builtin: [<module prefix>] output matching
builtin rules { (optional) }
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
- * implied snort.--parsing-follows-files: parse relative paths from
- the perspective of the current configuration file
* string snort.--pcap-file: <file> file that contains a list of
pcaps to read - read mode is implied
* string snort.--pcap-list: <list> a space separated list of pcaps
* string snort.--script-path: <path> to a luajit script or
directory containing luajit scripts
* implied snort.--shell: enable the interactive command line
+ * implied snort.--show-file-codes: indicate how files are located:
+ A=absolute and W, F, C which are relative to the working
+ directory, including file, and config file respectively
* implied snort.--show-plugins: list module and plugin versions
* int snort.--skip: <n> skip 1st n packets { 0:max53 }
* int snort.--snaplen = 1518: <snap> set snaplen of packet (same as
line starting with END is read
* implied snort.--talos: enable Talos inline rule test mode (same
as --tweaks talos -Q -q)
- * implied snort.--treat-drop-as-alert: converts drop, sdrop, and
- reject rules into alert rules during startup
- * implied snort.--treat-drop-as-ignore: use drop, sdrop, and reject
+ * implied snort.--treat-drop-as-alert: converts drop, block, and
+ reset rules into alert rules when loaded
+ * implied snort.--treat-drop-as-ignore: use drop, block, and reset
rules to ignore session traffic when not inline
* string snort.--tweaks: tune configuration
* implied snort.--version: show version number (same as -V)
* HOSTTYPE: optional string that is output with the version at end
of line.
- * LUA_PATH: you must export as follows so LuaJIT can find required
- files.
-
- LUA_PATH=$install_dir/include/snort/lua/\?.lua\;\;
-
* SNORT_IGNORE: the list of symbols Snort should ignore when
parsing the Lua conf. Unknown symbols not in SNORT_IGNORE will
cause warnings with --warn-unknown or fatals with --warn-unknown
--pedantic.
- * SNORT_LUA_PATH: an optional path where Snort can find
- supplemental conf files such as classification.lua.
* SNORT_PROMPT: the character sequence that is printed at startup,
shutdown, and in the shell. The default is the mini-pig: o")~ .
* SNORT_PLUGIN_PATH: an optional path where Snort can find
* -z <count> maximum number of packet threads (same as
--max-packet-threads); 0 gets the number of CPU cores reported by
the system; default is 1 (0:max32)
- * --alert-before-pass process alert, drop, sdrop, or reject before
- pass; default is pass before alert, drop,…
+ * --alert-before-pass evaluate alert rules before pass rules;
+ default is pass rules first
* --bpf <filter options> are standard BPF options, as seen in
TCPDump
* --c2x output hex for given char (see also --x2c)
of instance filename prefix
* --id-zero use id prefix / subdirectory even with one packet
thread
+ * --include-path <path> where to find Lua and rule included files;
+ searched before current or config directories
* --list-buffers output available inspection buffers
* --list-builtin [<module prefix>] output matching builtin rules
(optional)
* --nolock-pidfile do not try to lock Snort PID file
* --pause wait for resume/quit command before processing packets/
terminating
- * --parsing-follows-files parse relative paths from the perspective
- of the current configuration file
* --pcap-file <file> file that contains a list of pcaps to read -
read mode is implied
* --pcap-list <list> a space separated list of pcaps to read - read
* --script-path <path> to a luajit script or directory containing
luajit scripts
* --shell enable the interactive command line
+ * --show-file-codes indicate how files are located: A=absolute and
+ W, F, C which are relative to the working directory, including
+ file, and config file respectively
* --show-plugins list module and plugin versions
* --skip <n> skip 1st n packets (0:max53)
* --snaplen <snap> set snaplen of packet (same as -s) (68:65535)
with END is read
* --talos enable Talos inline rule test mode (same as --tweaks
talos -Q -q)
- * --treat-drop-as-alert converts drop, sdrop, and reject rules into
- alert rules during startup
- * --treat-drop-as-ignore use drop, sdrop, and reject rules to
- ignore session traffic when not inline
+ * --treat-drop-as-alert converts drop, block, and reset rules into
+ alert rules when loaded
+ * --treat-drop-as-ignore use drop, block, and reset rules to ignore
+ session traffic when not inline
* --tweaks tune configuration
* --version show version number (same as -V)
* --warn-all enable all warnings
* int alert_sfsocket.rules[].sid = 1: rule signature ID { 1:max32 }
* bool alerts.log_references = false: include rule references in
alert info (full only)
- * string alerts.order = pass drop alert log: change the order of
- rule action application
+ * string alerts.order = pass reset block drop alert log: change the
+ order of rule action application
* int alerts.rate_filter_memcap = 1048576: set available MB of
memory for rate_filters { 0:max32 }
* string alerts.reference_net: set the CIDR for homenet (for use
}
* multi network.checksum_drop = none: drop if checksum is bad { all
| ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
- * multi network.checksum_eval = none: checksums to verify { all |
- ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
+ * multi network.checksum_eval = all: checksums to verify { all | ip
+ | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
* bool network.decode_drops = false: enable dropping of packets by
the decoder
* int network.id = 0: correlate unified2 events with configuration
* string smtp.valid_cmds: list of valid commands
* enum smtp.xlink2state = alert: enable/disable xlink2state alert {
disable | alert | drop }
- * implied snort.--alert-before-pass: process alert, drop, sdrop, or
- reject before pass; default is pass before alert, drop,…
+ * implied snort.--alert-before-pass: evaluate alert rules before
+ pass rules; default is pass rules first
* string snort.-A: <mode> set alert mode: none, cmg, or alert_*
* addr snort.-B = 255.255.255.255/32: <mask> obfuscated IP
addresses in alerts and packet dumps using CIDR mask
* implied snort.--id-zero: use id prefix / subdirectory even with
one packet thread
* string snort.-i: <iface>… list of interfaces
+ * string snort.--include-path: <path> where to find Lua and rule
+ included files; searched before current or config directories
* port snort.-j: <port> to listen for Telnet connections
* enum snort.-k = all: <mode> checksum mode; default is all { all|
noip|notcp|noudp|noicmp|none }
* implied snort.-O: obfuscate the logged IP addresses
* string snort.-?: <option prefix> output matching command line
option quick help (same as --help-options) { (optional) }
- * implied snort.--parsing-follows-files: parse relative paths from
- the perspective of the current configuration file
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
* string snort.--pcap-dir: <dir> a directory to recurse to look for
* string snort.--script-path: <path> to a luajit script or
directory containing luajit scripts
* implied snort.--shell: enable the interactive command line
+ * implied snort.--show-file-codes: indicate how files are located:
+ A=absolute and W, F, C which are relative to the working
+ directory, including file, and config file respectively
* implied snort.--show-plugins: list module and plugin versions
* int snort.--skip: <n> skip 1st n packets { 0:max53 }
* int snort.--snaplen = 1518: <snap> set snaplen of packet (same as
* int snort.trace: mask for enabling debug traces in module {
0:max53 }
* implied snort.--trace: turn on main loop debug trace
- * implied snort.--treat-drop-as-alert: converts drop, sdrop, and
- reject rules into alert rules during startup
- * implied snort.--treat-drop-as-ignore: use drop, sdrop, and reject
+ * implied snort.--treat-drop-as-alert: converts drop, block, and
+ reset rules into alert rules when loaded
+ * implied snort.--treat-drop-as-ignore: use drop, block, and reset
rules to ignore session traffic when not inline
* implied snort.-T: test and report on the current Snort
configuration
change -> stream5_global: 'max_tcp' ==> 'max_sessions'
change -> stream5_global: 'max_udp' ==> 'max_sessions'
change -> stream5_global: 'min_response_seconds' ==> 'min_interval'
-change -> stream5_global: 'prune_log_max' ==> 'histogram'
change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'pruning_timeout'
change -> stream5_global: 'tcp_cache_pruning_timeout' ==> 'idle_timeout'
change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout'